
Bug#776012: RFS: shadowd/1.0.0 [ITP: #775998]



On Thu, 22 Jan 2015 at 9:33, Hendrik Buchwald <hb@zecure.org> wrote:

Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "shadowd".

 * Package name     : shadowd
   Version          : 1.0.0
   Upstream Author  : Hendrik Buchwald <hb@zecure.org>
 * URL              : https://shadowd.zecure.org/
 * License          : GPL
   Programming Lang : C++
   Description      : Shadow Daemon web application firewall server

shadowd is the main component of the web application firewall Shadow Daemon. Currently it is possible to use Shadow Daemon to protect PHP, Perl and Python web applications by detecting and removing malicious user input. The firewall intercepts requests and uses a combination of white- and blacklisting to detect attacks. More detailed information can be found on the homepage. A new, fancier homepage is in the works and will be released shortly.

The development of all components is public and takes place at https://github.com/zecure. The Debian packages and files are hosted at https://shadowd.zecure.org/files/debian/.

I would be grateful if someone is interested in sponsoring me, because I think better web application security is of great importance :)

Unfortunately I am not a DD, so I can not sponsor, however I do have a few comments:

In prerm, you manually stop shadowd. You do not have to do that; dh_installinit already does it itself (you can check the generated prerm in the .deb).

In postrm, you manually delete the config file and config directory on purge. You do not have to do that, because they will automatically be deleted, as they are owned by the shadowd package.

In control, you explicitly list the libraries it depends on (e.g. libcrypto++9). Why did you add that? Were ${shlibs:Depends} and ${misc:Depends} not adding all the libraries that you listed in the build depends field / the libraries shadowd linked to?

This one I am not 100% on, so you may want to look at other packages for reference or ask on debian-mentors if that does not help. Anyway, I believe that users and groups are supposed to be left around, even after a package is purged. Otherwise a new package would inherit the same UID and with it access to potentially security sensitive files. So it is best to remove the entire postrm.

Also, I have written an Upstart job that I would appreciate you including in the package. (Just put it into the debian/ directory under the filename `shadowd.upstart`).

Lastly, you may want to put your package on mentors.debian.org so that people can look at the lintian results at a glance.

Good luck!
--
Cameron Norman

# debian/shadowd.upstart
description "Shadow Daemon Web Application Firewall"

start on runlevel [2345]
stop on runlevel [016] or unmounting-filesystem

# Drop to the shadowd user and group; the config path matches the Debian package layout.
exec /usr/bin/shadowd -c /etc/shadowd/shadowd.ini -U shadowd -G shadowd
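The UID-reuse concern raised above (a purged package's files staying owned by a numeric UID that a later package can be allocated) can be audited for. The following is an added example, not part of the bug report or the shadowd project: it reports files whose owning UID has no passwd entry, using a constructed passwd snapshot and a constructed file listing (UID 999 for the removed shadowd user is an assumed value) so that it runs offline without root.

```shell
#!/bin/sh
# Added example: find files owned by UIDs that no longer exist in passwd.
# The listing format is the one produced by `find DIR -printf '%U %p\n'`.

# Print "uid path" for every listing line whose UID is absent from PASSWD.
orphan_uid_files() {
    passwd_file=$1
    listing=$2
    # First file: collect known UIDs (field 3 of passwd).
    # Second file: no colons, so $0 is the whole "uid path" line.
    awk -F: 'NR == FNR { known[$3] = 1; next }
             { split($0, f, " "); if (!(f[1] in known)) print $0 }' \
        "$passwd_file" "$listing"
}

# Constructed passwd snapshot: the shadowd system user has already been purged.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
}

# Constructed listing: UID 999 (assumed former shadowd UID) still owns the
# config and log; a new package allocated UID 999 would inherit access to them.
make_sample_listing() {
    cat > "$1" <<'EOF'
0 /etc/shadowd
999 /etc/shadowd/shadowd.ini
999 /var/log/shadowd
33 /var/www/index.html
EOF
}

# Run the audit over the constructed data and print the orphaned entries.
demo() {
    tmp=$(mktemp -d)
    make_sample_passwd "$tmp/passwd"
    make_sample_listing "$tmp/listing"
    orphan_uid_files "$tmp/passwd" "$tmp/listing"
    rm -rf "$tmp"
}

demo
```

On a live system `find / -xdev -nouser` reports the same files directly; the awk function only exists so the sample can be checked without root.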
